Platform: python
Component: strawberry-graphql
Fixed in: 0.312.3, 0.312.4
CVE-2026-35526 describes a denial-of-service (DoS) vulnerability within Strawberry GraphQL, a Python library for building GraphQL APIs. This flaw arises from the uncontrolled allocation of asynchronous tasks for incoming subscription messages, allowing an attacker to overwhelm the server. Versions 0.0.0 through 0.312.2 are affected; upgrading to version 0.312.3 resolves the issue.
The vulnerability allows an unauthenticated attacker to open a single WebSocket connection and then rapidly send a flood of unique subscription messages. Each message triggers the creation of a new asyncio.Task and an associated Operation object, with no rate limiting and no cap on the number of active subscriptions per connection. This uncontrolled task creation can quickly exhaust server resources, including CPU, memory, and potentially network bandwidth. The result is a denial of service that prevents legitimate users from reaching the GraphQL API. The blast radius covers every user of the affected GraphQL endpoint, and the impact can be significant, especially in production environments.
This vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a potential target. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. Active exploitation is not confirmed, but the absence of any authentication requirement makes it a high-priority concern.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Strawberry GraphQL to version 0.312.3 or later, which includes a fix to limit the number of active subscriptions per connection. If upgrading immediately is not feasible, consider implementing rate limiting on the WebSocket connection to restrict the number of subscription messages received per unit of time. Web application firewalls (WAFs) can be configured to detect and block suspicious patterns of subscription requests. Monitoring server resource utilization (CPU, memory) is crucial to identify potential DoS attacks.
Update Strawberry GraphQL to version 0.312.3 or higher to mitigate the denial-of-service vulnerability. This version introduces limits on the number of active WebSocket subscriptions per connection, preventing excessive resource consumption and potential crashes.
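The two limits the mitigation text names (a cap on active subscriptions per connection and a rate limit on incoming subscribe messages) are easy to reason about with a small, framework-agnostic model. The following is an added example, not Strawberry GraphQL's own code or its fix, and it does not use the Strawberry API: `SubscriptionGuard`, the `op-N` operation ids, the message handling and the simulated flood are all hypothetical constructions. It models one WebSocket connection, replays a constructed flood of unique subscribe messages against it, and shows that only the admitted messages ever become `asyncio.Task`s and that all of them are cancelled when the connection closes.

```python
"""Per-connection admission control for GraphQL subscribe messages (added example).

Hypothetical, framework-agnostic sketch of the mitigations the advisory names;
not Strawberry GraphQL code and not its actual fix. All names are assumptions.
"""
import asyncio
import time
from dataclasses import dataclass, field
from typing import Awaitable, Callable, Dict, List, Tuple


@dataclass
class SubscriptionGuard:
    """Admission control for one WebSocket connection.

    Two independent limits: max_active caps concurrently running subscription
    tasks; a token bucket (burst, rate_per_sec) caps how fast new subscribes
    are accepted, so a flood is refused before any task is created.
    """
    max_active: int = 100
    rate_per_sec: float = 20.0
    burst: int = 40
    _tokens: float = field(init=False, default=0.0)
    _last: float = field(init=False, default=0.0)
    _active: Dict[str, asyncio.Task] = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        self._tokens = float(self.burst)
        self._last = time.monotonic()

    def _refill(self) -> None:
        now = time.monotonic()
        self._tokens = min(float(self.burst),
                           self._tokens + (now - self._last) * self.rate_per_sec)
        self._last = now

    def admit(self, op_id: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a 'subscribe' carrying this operation id."""
        if op_id in self._active:
            return False, "duplicate operation id"
        if len(self._active) >= self.max_active:
            return False, "too many active subscriptions"
        self._refill()
        if self._tokens < 1.0:
            return False, "subscribe rate exceeded"
        self._tokens -= 1.0
        return True, "ok"

    def start(self, op_id: str,
              factory: Callable[[str], Awaitable[None]]) -> Tuple[bool, str]:
        """Create the subscription task only if admit() accepts the message."""
        ok, reason = self.admit(op_id)
        if ok:
            task = asyncio.create_task(factory(op_id))
            self._active[op_id] = task
            # Free the slot whenever the subscription ends, for any reason.
            task.add_done_callback(lambda _t, op_id=op_id: self._active.pop(op_id, None))
        return ok, reason

    def complete(self, op_id: str) -> bool:
        """Client sent 'complete' for an operation: cancel its task, free the slot."""
        task = self._active.pop(op_id, None)
        if task is None:
            return False
        task.cancel()
        return True

    def close(self) -> List[asyncio.Task]:
        """Connection closed: cancel every task it owns so nothing leaks."""
        tasks = list(self._active.values())
        self._active.clear()
        for task in tasks:
            task.cancel()
        return tasks

    @property
    def active_count(self) -> int:
        return len(self._active)


async def _fake_subscription(op_id: str) -> None:
    # Stand-in for a GraphQL subscription resolver: streams until cancelled.
    while True:
        await asyncio.sleep(3600)


async def run_flood(n_messages: int, max_active: int, burst: int, rate_per_sec: float) -> dict:
    """Replay a constructed flood of unique 'subscribe' ids on one connection."""
    guard = SubscriptionGuard(max_active=max_active, rate_per_sec=rate_per_sec, burst=burst)
    reasons: Dict[str, int] = {}
    for i in range(n_messages):
        _ok, reason = guard.start(f"op-{i}", _fake_subscription)
        reasons[reason] = reasons.get(reason, 0) + 1
    summary = {"active": guard.active_count, "reasons": reasons}
    cancelled = guard.close()
    await asyncio.gather(*cancelled, return_exceptions=True)
    summary["all_cancelled"] = all(t.cancelled() for t in cancelled)
    summary["active_after_close"] = guard.active_count
    return summary


def flood_summary(n_messages: int, max_active: int = 100,
                  burst: int = 40, rate_per_sec: float = 20.0) -> dict:
    return asyncio.run(run_flood(n_messages, max_active, burst, rate_per_sec))


if __name__ == "__main__":
    # 1000 unique subscribes with only the cap in play: 100 start, 900 refused.
    print(flood_summary(1000, max_active=100, burst=1000, rate_per_sec=1e9))
    # 50 subscribes against a 5-token bucket with no refill: 5 start, 45 refused.
    print(flood_summary(50, max_active=100, burst=5, rate_per_sec=0.0))
```

The ordering inside `admit()` matters: the duplicate-id and active-count checks run before a token is spent, so a client cannot burn its own rate budget on messages that would be refused anyway, and `close()` is the piece that turns a per-connection cap into a real bound on server-wide task count, since a disconnecting client otherwise leaves its tasks behind. Rejection counts by reason are also what you would want to surface as a metric when monitoring for the resource-exhaustion pattern the advisory describes.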
CVE-2026-35526 is a denial-of-service vulnerability in Strawberry GraphQL versions 0.0.0 through 0.312.2, allowing attackers to exhaust server resources by flooding subscription messages.
If you are using Strawberry GraphQL versions 0.0.0 through 0.312.2, you are potentially affected by this vulnerability. Upgrade to 0.312.3 or later to mitigate the risk.
The recommended fix is to upgrade Strawberry GraphQL to version 0.312.3 or later. Consider implementing rate limiting on WebSocket connections as a temporary workaround.
Active exploitation has not been confirmed, but the vulnerability's ease of exploitation makes it a potential target. Continuous monitoring is advised.
Refer to the Strawberry GraphQL project's official advisory and release notes for detailed information and updates: [https://strawberry.py/docs/releases](https://strawberry.py/docs/releases)